ABSTRACT



A method and apparatus for authenticating the identity of a remote user entity where the identity of such user entity is authenticated by use of information specific to geodetic location of the user entity but that changes constantly, making "spoofing" the host device extremely difficult. The invention is preferably implemented utilizing satellite positioning technology to produce the identifying information.
METHOD AND APPARATUS FOR AUTHENTICATING THE LOCATION OF REMOTE USERS OF NETWORKED COMPUTING SYSTEMS

TECHNICAL FIELD 

This invention relates to a method and apparatus for authenticating the identity of a remote electronic device user (or client) seeking electronic access to, or seeking to perform an electronic transaction with, a host device. Specifically, this invention relates to a method and apparatus for authenticating the identity of a remote electronic device where the identity of such electronic device (or client) is authenticated by use of information specific to the device's geodetic location but that changes constantly, making "spoofing" the host device extremely difficult. The invention is preferably implemented utilizing satellite positioning technology to produce the identifying information.

BACKGROUND ART 

In order to determine whether a person or device attempting to access or perform a transaction with a host computer system is a person or device entitled to access, most host computer systems require the person or device to provide information confirming identity. This process is called user authentication. In the prior art user authentication has been based on the following kinds of information:

1. Information the user knows. This has been the most common mode of authentication. Examples are passwords (or pass-phrases) and personal identification numbers (PIN's). Cryptographic methods for authentication (including one-time passwords and challenge-response protocols) also fall into this category when implemented in software or hardware. Here the information possessed by the user is either a code key or, more likely, a PIN or password that provides access to the key (which is typically a user-unfriendly random bit string). For example, the keys used with Pretty Good Privacy (PGP) are stored in files encrypted under user-selected passphrases.

2. An object the user possesses. Examples are access tokens, physical keys, smart cards, PCMCIA cards, and other hardware devices, including cryptographic devices and one time password generators. Dial-back mechanisms also fall in this category — the possessed object is a phone line with a specific number. Cryptographic devices are typically used with PIN's to control activation of the devices. For example, the Fortezza PCMCIA cryptographic card requires a 4-digit PIN for activation.

3. A personal characteristic. Examples are biometric characteristics, including finger and thumb prints, hand geometry, voice prints, retinal scans, and keystroke patterns. Handwritten signatures fall into this category, although they might also be viewed as based on information the user knows.

None of these prior art methods is foolproof. Passwords and PIN's are often vulnerable to guessing, interception (e.g., by sniffer programs on networks), and brute force search. Users frequently write down passwords and PIN's in places that are not physically protected. Hardware or other physical objects can be stolen, and phone lines hijacked. Cryptographic systems can fail even when the algorithms are strong. Typically, their security reduces to that of PIN's and passwords or, in the case of physical devices, possession of the device. Biometric characteristics can lead to false positives (permitting unauthorized users) and false negatives (denying legitimate access). Most such characteristics are vulnerable to interception and (because they do not normally change over time) replay of the intercepted data by masqueraders.

A method and apparatus for protecting against unauthorized access that solves the preceding problems and provides a greater degree of security against unauthorized access would be a useful advance over the prior art.

SUMMARY OF THE INVENTION 
A system for determining the authenticity of a client seeking access to a host has a client authentication means, with a first sensor associated with the client for sensing transmissions from two or more signal sources that produce transmissions from which a state vector (latitude, longitude, height, velocity (if any)) for the client location can be derived. This first sensor includes means for converting the sensed transmissions into first state vector observations having a format suitable for communication to an authentication server associated with the host. The client authentication means also has means for communicating the first state vector observations to the authentication server. Also part of the system is a host authentication processor communicating with the authentication server. This processor has authentication means for receiving the first state vector observations and for comparing one or more attributes of the state vector contained in the first state vector observations to predetermined authentication criteria, and means for developing a user authentication signal when the one or more attributes of the first state vector observations satisfy the predetermined authentication criteria. While the client may be a remote computer system user and the host a central computer system that the remote user seeks to access, the authentication system is applicable to many other situations where a client device seeks to establish authenticity for itself or a message it is sending.
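
The comparison step described above, sketched as an added example (this is not code from the patent): a host-side check that takes a state vector the authentication processor has already resolved from the client's observations and tests its position and velocity attributes against stored criteria. The client table, the tolerance values and every name in the code are hypothetical; coordinates are treated as WGS 84 geodetic values and compared as Earth-centered, Earth-fixed distances in metres.

```python
import math
from dataclasses import dataclass

# WGS 84 ellipsoid constants (metres)
WGS84_A = 6378137.0
WGS84_F = 1.0 / 298.257223563
WGS84_E2 = WGS84_F * (2.0 - WGS84_F)  # first eccentricity squared


@dataclass(frozen=True)
class StateVector:
    """Resolved state vector: geodetic position plus speed (hypothetical layout)."""
    lat_deg: float
    lon_deg: float
    height_m: float
    speed_mps: float = 0.0


@dataclass(frozen=True)
class Criteria:
    """Stored authentication criteria for one registered client (assumed fields)."""
    site: StateVector
    max_offset_m: float    # how far from the registered site still counts as a match
    max_speed_mps: float   # near zero for a fixed site


def to_ecef(sv):
    """Convert geodetic latitude/longitude/height to Earth-centered, Earth-fixed x, y, z."""
    lat, lon = math.radians(sv.lat_deg), math.radians(sv.lon_deg)
    n = WGS84_A / math.sqrt(1.0 - WGS84_E2 * math.sin(lat) ** 2)
    return (
        (n + sv.height_m) * math.cos(lat) * math.cos(lon),
        (n + sv.height_m) * math.cos(lat) * math.sin(lon),
        (n * (1.0 - WGS84_E2) + sv.height_m) * math.sin(lat),
    )


def offset_m(a, b):
    """Straight-line 3-D distance in metres between two state vector positions."""
    return math.dist(to_ecef(a), to_ecef(b))


def well_formed(sv):
    """Reject non-finite or out-of-range attributes before any comparison."""
    values = (sv.lat_deg, sv.lon_deg, sv.height_m, sv.speed_mps)
    return (all(math.isfinite(v) for v in values)
            and -90.0 <= sv.lat_deg <= 90.0
            and -180.0 <= sv.lon_deg <= 180.0
            and sv.speed_mps >= 0.0)


def authenticate(client_id, observed, table):
    """Return (authenticated, reason). Fails closed on unknown or malformed input."""
    criteria = table.get(client_id)
    if criteria is None:
        return (False, "client not registered")
    if not well_formed(observed):
        return (False, "malformed state vector")
    distance = offset_m(observed, criteria.site)
    if distance > criteria.max_offset_m:
        return (False, f"position {distance:.1f} m from registered site")
    if observed.speed_mps > criteria.max_speed_mps:
        return (False, "velocity outside criteria")
    return (True, "authenticated")


# Constructed sample data: one fixed client site with a 5 m position tolerance.
TABLE = {
    "branch-office": Criteria(StateVector(40.0, -105.0, 1650.0), 5.0, 0.5),
}

if __name__ == "__main__":
    attempts = [
        ("branch-office", StateVector(40.0, -105.0, 1653.0)),       # 3 m above the site
        ("branch-office", StateVector(40.001, -105.0, 1650.0)),     # about 111 m north
        ("branch-office", StateVector(40.0, -105.0, 1650.0, 2.0)),  # moving
        ("kiosk-7", StateVector(40.0, -105.0, 1650.0)),             # never registered
    ]
    for client_id, observed in attempts:
        print(client_id, authenticate(client_id, observed, TABLE))
```

The check is only meaningful when `observed` is the output of the host's own processing of the client's state vector observations; a position that the client merely reports should never be passed to it.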

It is therefore an object of the present invention to provide for a novel and improved method and apparatus for authenticating the location of a remote client user of networked computing systems by requiring the remote client to provide a location signature obtained by a Global Positioning System (GPS) sensor.

It is another object of the present invention to authenticate the position and velocity of fixed or moving remote client users by employing GPS sensor devices, utilized as location signature sensor (LSS) devices, to intercept spread spectrum signals from a plurality of Earth-orbiting satellites (with or without knowledge of the code sequence used by the satellites) and provide the GPS data as a location signature.

It is a further object of the present invention to provide a device at a host system that performs centralized digital signal processing on information provided by LSS devices in order to perform location determinations for initial location registration and to perform subsequent authentications of remote users, with or without knowledge of the satellite codes.

It is still another object of the present invention to provide a method for labelling electronic messages with location signature information developed by LSS devices for authentication of the message by a subsequent recipient.

These and other objects of the present invention will become clearer in the description of the preferred embodiment below and the figures referenced therein.

BRIEF DESCRIPTION OF THE DRAWINGS 
FIG. 1 is a schematic diagram of the present invention in an embodiment where only the client entity captures and provides information from a LSS for the host's authentication process.

FIG. 2 is a schematic diagram of the present invention in an embodiment where both the client entity and the host entity have a LSS that provides LSS information for the host's authentication process.

FIG. 3a is flowchart showing the overall logic structure of the control software in a LSS device.

FIG. 3b is flowchart showing the overall logic structure of the control software for a host authentication server entity that receives and determines the authenticity of LSS information before granting host access.

FIG. 4 is a schematic block diagram of the hardware in an LSS operating on codeless processing principles that prepares LSS information in the form of state vector observations for communication to a host authentication server.

FIG. 5 is a block diagram of the host authentication server components involved in determining authenticity of state vector observations communicated from a remote entity and also from an LSS under the control of the host authentication server.

FIG. 6 is a block diagram of the host authentication server components involved in determining authenticity of state vector observations communicated only from a remote entity.

FIG. 7 is a schematic block diagram of the hardware in an LSS operating on code-correlating processing principles that prepares state vector observations for communication to a host authentication server.

FIG. 8 is a block diagram showing the basic components of an LSS message with which a location signature in accordance with the present invention has been associated.

The above and other objects of the present invention will become more readily appreciated and understood from a consideration of the following detailed description of a preferred embodiment when taken together with the accompanying drawings.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

I. Background of GPS

For purposes of the present invention, the following introducing the GPS is useful. The NAVSTAR Global Positioning System of the U.S. Air Force is made up of a set of Earth-orbiting, signal-transmitting satellites that emit spread spectrum signals in accordance with a set of prescribed codes. (See "GPS Signal Structure and Performance Characteristics", J. J. Spilker, Navigation, Institute of Navigation, ISBN 0-0936406-00-3, Vol. No. 2, Summer, 1978 and "The Global Positioning System, A Shared National Asset", National Academy Press, Washington D.C. 1995.)

The GPS is composed of three principal segments that are described as space, control and user. The space and control segments are the primary responsibility of the U.S. Air Force. The user segment has both military and civilian suppliers.

a. NAVSTAR/GPS Space Segment

The space segment is presently a twenty-five satellite constellation consisting of 24 Block II or IIA operational satellites and one surviving Block I prototype space vehicle, which is more than 10 years old. Each of the space vehicles of the constellation is in a 12 hour period orbit with a once per day repeating ground track. The satellite constellation is arranged in six orbital planes inclined at 55 degrees. In 1994, the constellation was declared to be operational, indicating that at least 24 space vehicles of Block II and Block I satellites were present to provide 3-D global positioning on a nearly continuous basis. The operational satellites are equipped with the capability known as selective availability/anti-spoof (SA/A-S) which is the methodology by which the U.S. Department of Defense can degrade and/or [illegible] to the GPS signals by receivers that are not authorized for U.S. or allied military users. There are two transmitted bands from each satellite, designated as L1 (1575.42 MHz) and L2 (1227.60 MHz), which are derived from multiply redundant clocks aboard each satellite. The time maintained aboard the satellites is synchronized relative to master clocks at the U.S. Naval Observatory in Washington, D.C. and the National Institute for Standards and Technology in Colo. GPS time is traceable to the atomic [illegible] and to Universal Time Coordinated (UTC). Within the L1 band are two channels, a narrowband channel occupied by the C/A code and a wideband channel that is intended for precision measurements and is occupied by either an unclassified P code or a classified Y code. The L2 band contains only the P or Y codes and serves mainly to act as an ionospheric effects calibrator for the L1 band. In very general terms, the C/A code portion of the L1 band is the channel intended for civil use and the wideband portion of L1 and the entire L2 are for military use.

b. Control Segment

The Control Segment is responsible for the overall management of the satellite constellation. In addition to maintaining the health of the satellites, the main function of the Control Segment from the user's perspective is the determination of the orbit elements and the estimation of the time and frequency parameters for every satellite. In order to determine these satellite orbit and clock parameters, there is a network of five globally deployed ground monitor stations located at Hawaii, Kwajalein, Diego Garcia, Ascension and Colorado Springs, Colo., which functions as the Master Control Station (MCS) operating from Falcon AFB. Each of these monitor sites is well known in the World Geodetic System (WGS 84), Earth-centered, Earth-fixed coordinate system, and is equipped with an atomic clock to operate the monitor site GPS receiver. Data obtained from each of these monitor sites is transferred to the MCS, which performs a simultaneous estimation of the orbit elements and atomic clock states for each of the satellites of the constellation. Once those parameters are determined by the MCS, they are uploaded into the satellites for storage and subsequent dissemination in a 50 bit per second telemetry message that is a part of the L1 and L2 transmissions.

c. User Segment

The user segment refers to the actual receivers that make use of the L-band microwave transmissions from the GPS satellites. In the very simplest form, a GPS receiver consists of a method for matching the unique code transmitted by each satellite. By using a receiver internal clock, the receiver determines the relative time shift of the code needed to achieve that match, a process termed code correlation. In general terms, all the satellites are time synchronized to each other and emit the codes at a common epoch. The GPS receiver, relative to its [illegible] time of [illegible] derives a biased estimate of the time shift [illegible] to each satellite to form the quantity known as a "pseudo range." The term "pseudo" is used to denote the fact that the initially measured ranges are all false, because the clock internal to the GPS receiver is in general not synchronized to GPS satellite time. The receiver's function is, of course, to produce positional information (latitude, longitude and
height). It does this by receiving pseudo ranges from four or more GPS satellites, so that four or more observations are available to solve for the four unknowns; three position terms and one receiver clock term. Within the 50 Hz message from each satellite is orbital information previously uploaded by the Control Segment that allows the user receiver to calculate the geocentric position and velocity of the satellite being received. That message also contains individual satellite clock parameters so that the time of flight of the codes from the satellite to the receiver can eventually be interpreted as range. The four or more GPS satellites must be well distributed across the sky in a geometric sense for this simultaneous estimation process to function accurately. The necessity to estimate the clock parameter of the receiver also enables an important additional benefit of GPS, that of precise time transfer.

The accuracy with which this process proceeds can be affected by a variety of errors, some that are consequences of physics, such as the transmission media of the troposphere and ionosphere and some from the inability of the MCS to accurately forecast orbital elements and clock states of the satellites. However, there are some other errors whose source is intentional degradation of unauthorized receivers. This degradation is implemented by the methods of selective availability (SA) to distort orbit elements, satellite clock information and introduce dither to the pseudo ranging. Because of the concern that an adversary could counterfeit signals such as the unclassified P code and thereby spoof receivers into improper operation, the Department of Defense design utilizes a classified Y code to control access to the full accuracy of GPS. When the Y code is introduced into the wideband channel, P code receivers will fail to acquire any data. The transition from P code to Y code is known as anti-spoof (A-S).

The signals being made available to the civil community are termed the Standard Positioning Service (SPS), with accuracy limited to 100 m, 2-d RMS. Signals intended for military use are termed the Precise Positioning Service (PPS) and have an accuracy of 21 m, 2-d RMS. During the many years of the GPS development phase, the wideband channel used the unclassified P code. The civil community became eager users of P code receivers and found many applications for their precision and accuracy. However, the operational satellite constellation has made the transition from transmitting the P code in the wideband channel to transmitting the classified Y code. The Department of Defense had consistently stated, for more than 10 years, that the P to Y transition would occur and, thus, the P code would no longer be available to civil users. Understandably, the civil community was very reluctant to give up those P code advantages and suffer the loss of their investment in that expensive equipment.

Even without the imposition of SA/A-S on the GPS signals, high precision GPS operations have never found PPS performance of 20 meter accuracy to be of any value. Where the accuracy requirements have been for decimeters to millimeters, it has always been necessary to employ differential GPS (DGPS) methods, in which the independent observations of GPS transmissions received at two separate receiver locations are combined in the calculation of location.

The principal motivation for DGPS methods stems from the fact that operating in a single receiver mode results in a one-to-one mapping of orbit and clock errors into the derived receiver position. In a very general sense, satellite orbit errors of 10 m and clock errors of 30 nsec both result in approximately 10 meters of positioning error. Where there is a need for positioning quality of 1 to 100 mm no single receiver positioning options are possible, because the GPS constellation orbits cannot be determined by any method to that same 1 to 100 mm accuracy. Another issue is the stability and accuracy of the on-orbit atomic clocks to be commensurate with 1 to 100 mm positioning accuracy. This requires synchronization maintenance to better than 0.3 nanosecond.

The methodology of differential DGPS has been developed to allow common mode cancellation of these major error sources, such as satellite clock instabilities, including the SA imposed intentional pseudo range dither effects. In the case of the orbit error source, DGPS affords attenuation with a magnitude dependent upon the baseline separation between the two receivers. The attenuation of the orbit error is proportional to the ratio of the baseline length to the height of the GPS satellites, which are at altitudes of approximately 20,000 km. As an example, for a baseline separation of 100 km [illegible] of receivers, a 50 m orbit error in the broadcast message, perhaps imposed by SA policy, would contribute a 25 cm baseline measurement error. In the [illegible] SA, the MCS appears to have a 5 to 10 m [illegible]. Employing [illegible] accomplishes transmission media error attenuation because the troposphere and ionosphere tend to be similar on scales of 1 to 30 km. By explicit differencing of [illegible] transmission media effects tend to cancel out, and for decimeter accuracy, no explicit transmission media calibrations are required. However, for high accuracy surveys where centimeter accuracy is needed, explicit calibrations for the ionosphere are required. L1 and L2 pseudo ranging and carrier phase data extraction meet that goal. Algorithms have been developed to use low elevation angle [illegible] to derive the tropospheric parameters.

U.S. Pat. No. 4,797,677, titled "Method and Apparatus for Deriving Pseudo Ranging from Earth Orbiting Satellites," [illegible] inventors: P. F. MacDoran and D. J. Spitzmesser, issued 29 Jan. 1989 (and incorporated herein by reference), describes a system for deriving pseudo ranges [illegible] modulation carried by the GPS signals. Thus, it has been shown that both code-correlating and codeless methods can be used to [illegible] information from GPS data. With either approach, the GPS user's goal is to capture GPS information and determine from it a "state vector." The "state vector" is a description of the physical state of a particular object with reference to some frame of reference, usually Earth-centered. Preferably, the state vector will include not only location in three dimensions, but also the object's velocity and acceleration (if any). It may also include additional information regarding electronic attributes of the device (sensor) that is [illegible] the GPS data, e.g., oscillator frequency offset, internal range bias and data latency.

II. Overview of Invention

a. General Principles

To provide a foundation for the following discussion of the invention, it is useful to define certain basic terms to be used:

"Entity" means an electronic device, typically a computer or network system that has means to be externally connected to other electronic devices, including gateways, remote computers, modem host servers, etc. This definition does not extend to individual users that operate an entity, because the invention does not have the ability to authenticate an individual person.

"Client" means an entity requesting access or services from a host entity that will not provide the access or services
without authentication of the client. Usually, the client is "remote" from the host, but in some cases the physical distance is small and the remoteness signifies an administrative distinction between host and client.

"Host" means an entity providing access or services; typically a client requests access to the host. The host is protected by a host authentication server that responds with a request for authentication information from the client.

"State vector observations" means certain GPS data that is captured by an LSS device and processed to make it suitable for communication and further processing. State vector observations are "raw" in the sense that while the directly received GPS transmissions have been processed somewhat (e.g., compressed), the observations have not been resolved into a state vector.

In the present invention, codeless GPS signal processing techniques have been adapted to implement a method and apparatus by which it is possible to receive GPS signals from all satellites above the horizon and perform a compression of the spectra from the satellites by nearly a factor of one million to one and then to digitally format and buffer these raw data in a form described as digital state vector observations. State vector observations developed at a client can be transferred to a host authentication server upon being challenged by the host. (The spectral compression is necessary for efficient communication of the state vector observations over the relatively slow communication lines commonly used.) The host then performs the processing to a state vector that reveals the remote client location.

The present computer network security invention authenticates by client location. In the mode of fixed site-to-site usage, each site is essentially an enclave. The client enclave is a geodetic location that is authenticated to a host and traditional security methods (i.e., guards checking badges) are employed to [illegible] who is physically allowed access into the enclave. PIN's or forms of encryption can always be used with the system. Thus, if a fraudulent act issues from an authenticated enclave, the enclave location of the bad actor is immediately revealed. If someone was using an unauthorized PIN and/or transaction encryption, then the enclave principle of a "collection of trusted individuals" has been violated. There are, of course, conventional methods for discovering the responsible party and dealing with violations of trust within a limited set of individuals. These are outside the scope of this invention.

This invention involves a methodology for generating one-time locational signatures (passwords) to authenticate the location of a client [illegible] before permitting the client to gain access to a host, such as a LAN, enterprise network or distributed database. In contrast to existing random digit signature generators, this invention utilizes the client's geodetic location as the basis for initial registration of the client and for subsequent log-in authorizations for access to a host computer network or other protected enclave. The geodetic location (latitude, longitude, and height), derived from multiple microwave satellite signals of the GPS, is the remote client's key to forming an acceptable signature. Every location on Earth has a unique situation for formation of a signature created from transmissions from multiple satellites at any given instant in time.

There are two primary components to the invention:

(1) the location signature sensor (LSS) that develops state vector observations;

(2) the authentication processor for processing state vector observations and determining authenticity of a client attempting access to a host.

The basis for signature generation at the client LSS is the state vector or location coordinates (latitude, longitude, and height) of the client. There can be no expectation that such locational details can be held as secure information. However, because the GPS satellites signals are continuously [illegible] the client and host sites, the state vector observations from an LSS at either site are also constantly changing. The host site, protected by the host authentication server, challenges a client seeking access to transmit the state vector observations of the client's LSS. Upon receiving these, the authentication processor solves for the state vector (usually, latitude, longitude, and height) of the LSS device at the client site by processing into a state vector the GPS state vector observations transferred from the client to the host authentication server. The authentication processor at the host then applies its predetermined authentication criteria to the state vector to determine authenticity. Where the state vector is latitude, longitude and height, the authentication criteria used by the host will be the latitude, longitude and height of all authorized clients together with some proximity criteria. Thus, there need not be an exact match between the state vector developed from the client's state vector observations and the predetermined authentication criteria. The proximity criteria define "close enough," based on the particular host's security requirement.

Simply transferring the client's position (latitude, longitude and height), will not gain a client access into the host system. Therefore, preexisting knowledge of a remote client's geodetic location is of no utility to potential unauthorized users. If the LSS device is stolen, it cannot be used in a different location in order to gain access. In this case, the geodetic location derived from the stolen LSS device will not match the location stored [illegible] server and [illegible] the position [illegible]. Not only will system access be denied, but the location of the fraudulent party can then be known and can be passed to law enforcement.

The signature pattern from an LSS cannot be intercepted at one time and used at a later time in order to gain access. Because of the dithering of the GPS signals by the U.S. Department of Defense, the pattern created by up to 12 different satellite signals arriving at any given location is constantly changing on a millisecond by millisecond basis and details of the combined multiple satellite transmissions are unique to every point on Earth. A location signature that is even 5 milliseconds old will be completely useless for spoofing the system and will result in a failure to gain access or a terminated computer connection. In five milliseconds the [illegible] state vector will change by [illegible] which for high security applications may well be outside the 1 meter accuracy that could be imposed by authentication criteria.

A key advantage of the system is that it simplifies the conventional password system for management for network systems, in several ways.

i. The location authentication process within the system can be transparent to system users (functions without the knowledge of or interaction by the user).

ii. There are no traditional passwords or PIN's for users to remember and periodically change or for administrators to manage.

iii. User location information does not need to be protected, because the constantly changing LSS device authentication parameters are the password.

iv. Encryption of the password is not required, because it is continuously changing, everywhere unique, and non-repeating.
v. Because the system does not rely on encryption technology, no administratively burdensome key management is required.

The invention is an alternative to random password generators and will complement data encryption systems that are in current use. In addition, cryptographic systems are governed by strict export controls. The present system has no requirement for data encryption; although, for certain applications, a user may desire to encrypt authentication criteria or the communications channel that is used during and after authentication.

As noted above, the authentication processor at the host applies predetermined authentication criteria, which will include proximity criteria. The proximity criteria are affected by two primary factors. First, the proximity criteria must take into consideration the accuracy limitations of the state vector observations and of the authentication processor's computations to develop state vectors. Second, the proximity criteria must take into consideration the security requirement. To be authenticated, must the client be located in a particular city, a particular city block, a particular office building or a particular office in the office building? Must the LSS be located in a particular corner of a particular office window?

Depending on the proximity criteria, a DGPS process may be used, because it permits higher accuracy of state vector determination due to common mode cancellation of major errors sources. But DGPS requires state vector observations from two LSS's, one located at the client and the other associated with (and usually located at) the host. Thus, there are cost implications to DGPS. Whether or not DGPS is used to increase accuracy of state vector determination, the choice between code-correlating or codeless technology will also affect accuracy. With codeless technology, there is access to the P(Y) signal transmissions and higher precision is available. In a civilian application environment conventional code-correlation technology only provides access to C/A code pseudo ranging. The inherent precision of a C/A

always used as the authentication criteria (along with whatever proximity criteria have also been established).

Using the authentication techniques of the present invention adds minimal time overhead to a client-host exchange: (a) about 2 minutes for a typical initial site log-in registration; and (b) a few seconds for normal authentication, to include data transmission from the client and processing at the host. The host authentication server will indicate authentication in process and indicate when the client's LSS data have been received, processed into a possible geodetic location signature and tested for correspondence with the authentication criteria, typically a table containing the latitude/longitude/height coordinates of "authorized clients." For reasons of overall system security, it is probably advisable to encrypt the file that contains the geodetic positioning or other authentication criteria for the authenticated clients.

b. Introduction to Components

As a general introduction to the more detailed description of implementation of the present invention in an embodiment using a single LSS at the client site and another embodiment using an LSS associated with the host as well as the LSS at the client site, reference is made to FIGS. 1 and 2.

In FIG. 1, spread spectrum microwave signals 102 from the GPS satellites 101 which are above the horizon and transmitting (for simplicity, only one satellite is shown in FIG. 1) arrive at client authentication means 140, being sensed by an LSS 103 equipped with a microwave L-band antenna. LSS 103 is located at the remote client site and contains GPS signal sensor and processing circuits (as described in greater detail below) that produce digitized state vector observations 105. The preferred form of the client authentication means 140 has the necessary driver hardware and firmware 106 to format and send digital packets containing the state vector observations through a channel 107 and a communications interface 108, onto a communications channel 109, upon being challenged by the

receiver's state vector observations are typically five to ten ^ host authentication server 150, such as that illustrated in 

meters when processed in a DGPS mode, compared to FIG. 5 to be hereinafter described. At the host authentication 

sub-meter precision for codeless mode processing with server 150. a cornmunications interface 110 transfers the 

access to the P(Y) channel. received state vector observation digital packets on channel 

DGPS processing is desirable not only because of the 111 to the client access control module 112 for signal 

greater opportunities for higher precision but because the 43 processing (to be described later) and authentication verifi- 

two separate state vector observations make spoofing more cation by authentication processor 114 in order to grant or 

difficult. It is therefore preferable, from a security viewpoint deny the client access to me channel 116 to the host system 

to use DGPS. In addition, with either DGPS or the approach (not shown). The access control module 112 communicates 

using state vector observations from a single LSS at the with the authentication processor 114 on channel 113, 

remote client site, the codeless approach is preferable, so receiving the authentication signal on line 115. If authenti- 

because its implementation is simpler and results in a more cation is successful client user data 104 are passed by driver 

fundamentally raw form of state vector observations being 106 and cornmunications interface 108 onto channel 109. to 

sent to the host pass through the access control module 112 and reach the 

For fbied client sites, the authentication criteria applied at host 00 channel 116. 
the host can be established in a variety of ways. Client site S3 In contrast to FIG. 1. FIG. 2 shows a system in which GPS 
GPS data or map measurements can be provided to a host data are captured at two separate locations, making DGPS 
authentication server database before the first client log-in is location processing possible. In FIG. 2, spread spectrum 
attempted. Another possible approach for many situations is microwave signals 202 and 217 from the GPS satellites 201 
to perform a log-in registration process where reliable which are above the horizon and transmitting (again, for 
personnel at the client site ensure security and valid state 60 simplicity, only one satellite is shown in FIG. 2) arrive at 
vector observations at that end. Log-In registration thus client authentication means 240 and host authentication 
proceeds by having the host authentication server ask the server 250. being sensed by LSS 203 and LSS 218. re spec- 
remote client to provide a set of state vector observations. tively. Each LSS is equipped with a microwave I^band 
These are processed at the host authentication server into a antenna and has GPS signal sensor and processing circuits 
state vector that is stored in an authentication criteria table 65 that produce digitized state vector observations. In its pre- 
as the required location signature for that client Following f erred form, LSS 203 has the necessary hardware and 
this log-in registration, the stored location signature is firmware 206 to format and send digital packets containing 
the state vector observations 205 through a channel 207 and a communications interface 208 onto a communications channel 209 upon being challenged by the host authentication server 250, such as that illustrated in FIG. 5 and to be hereinafter described. At the host authentication server 250, a communications interface 210 transfers the received state vector observation digital packets on channel 211 to the client access control module 212 for signal processing (to be described later) and authentication verification by authentication processor 214 in order to grant or deny the client access to the channel 216 to the host system (not shown). The access control module 212 communicates with the authentication processor 214 on channel 213, receiving the authentication signal on line 215. In addition, the host authentication server 250 receives state vector observations via channels 219, 221, and communications interfaces 220, 222 from LSS 218, which is under host control.

The host processing functions illustrated in FIG. 2 provide for the possibility that the two LSS devices 203, 218 could both be remote from the host authentication server 250. For example, a remote client on the other side of the Earth from the host authentication server 250 would have few satellites in common view with the host authentication server 250. Therefore, it is advantageous to place LSS 218 at a site other than the host that has a reasonable amount of common view satellites relative to LSS 203 at the remote client. In that manner, the location of LSS 203 is determined relative to the location of LSS 218, with raw GPS data from each source communicated via channel 209 and channel 223, respectively, for authentication processing in authentication processor 214.

In sum, the apparatus and methodology of the present invention allow a remote client to use a complex set of raw satellite observations to create a digital location signature that is transferred to a host authentication server, upon being challenged by the host authentication server. The host authentication server then employs digital signal processing and multi-parameter simultaneous estimation methods to derive the three dimensional vector separation between the remote client and host authentication server sites. If the digital response transferred from the remote client can be processed into a location signature that matches the previously registered authentication criteria, then access to the host is granted. However, if the remote user is unable to respond with appropriate raw digital GPS data or responds with raw signature data which does not process to the predetermined authentication criteria, the host authentication server denies host access.

It may be noted that the processing of LSS data to derive positioning is similar to a land survey application. In the U.S. Pat. No. 4,797,677 the codeless methodology was utilized to create a land survey product (Model 2002 manufactured by ISTAC Inc. in Pasadena, Calif.), which was capable of achieving accuracy of a few centimeters. The present invention calculates positional data in substantially the same manner as the ISTAC Model 2002 but performs in real time and does so with reference frequency oscillators that are less accurate and stable than the rubidium oscillators of the earlier ISTAC Model 2002 systems. However, like the ISTAC Model 2002 systems, this invention can provide a differential GPS (DGPS) positioning system. The LSS device output is composed of the compressed raw observations of the multiple GPS satellites in view. Thus, when the host authentication server processes the remote client signature, it is doing a full DGPS solution by explicitly forming a satellite by satellite differential C/A and P(Y) pseudo-ranging observable that eliminates any SA dithering, on-orbit clock instability and attenuates the errors in the satellite broadcast orbit elements. Using software intensive digital signal processing and modern simultaneous multi-parameter estimation methods, these analysis methods allow near land survey quality positioning.

m codeless DGPS Embodiment

a. General Description of Signal Processing

Although not all security applications of the present invention will require the extra accuracy of DGPS technology, because of the possibilities of greater accuracy and security, the DGPS configuration of the invention shown in FIG. 2 is the preferred embodiment. Referring now to the embodiment of the invention shown in FIG. 2, further details of codeless signal processing in that environment will be explained.

In accordance with the present invention, applicants have devised a method and apparatus for developing a location signature of a remote client and testing the authenticity of that signature at a host site by processing the raw state vector observations provided as the location signature. A LSS device in the client authentication means at the remote client location and another at (or associated with) the host authentication server site intercept wideband spread spectrum signals transmitted from a plurality of satellites passing above the horizon. Without using knowledge of the code sequence of the satellites, each LSS device prepares the spread spectrum signals as digitized state vector observation data. Each LSS device proceeds by compressing the wideband GPS signals received from the satellites into a narrow band by a compression ratio of at least 100,000:1, preferably at least 280,000:1, removing any frequency bias with a reference oscillator having a ^^f^^' ; *f prevents the baseband from passing into a negative frequency space, forming ' comprised of sine wave superpositions and then producing an analog-to-digital converted representation of the sine wave superpositions.

The LSS device at the client authentication means buffers a few to several hundred seconds of these state vector observations within a storage buffer. The client LSS device then transfers the contents of the buffer upon challenge by the host. After receiving the client's state vector observations and obtaining any necessary state vector observations from the LSS device associated with the host, the host authentication processor then performs digital signal processing to produce spectral lines composed of amplitude, frequency and phase values. Then each spectral line is associated with an individual GPS satellite by (1) generating a model spectrum including a frequency offset value corresponding to the frequency offset value of the reference oscillator based on the approximate (or previously registered) location of the remote client and on position and velocity of the satellites (as derived from the individual satellite orbit elements); (2) comparing the spectral lines with the digital model spectrum values to determine the identity of each satellite corresponding to each spectral line; and (3) estimating the reference oscillator frequency offset value. The host authentication processor then determines the state vector for the client: a three dimensional baseline vector and a velocity (if any). This state vector can then be measured against pre-determined authentication criteria.

The client LSS device creates a continuously changing locational signature, which is different at every location on Earth and is reduced to a precise state vector by processing at the host. The client LSS device can be configured to produce the state vector observations comprising the signature in a wide variety of formats, for example, a 2000 byte signature every 10 seconds, resulting in approximately 2 million trillion potential combinations. This signature is transferred to the host within a few seconds, depending upon the client-to-host channel capacity. For example, at a communications rate of 14,400 bits per second, the signature is transferred in 1.7 seconds. Within two seconds, the host processes the signature to a state vector from which the authenticity of the location of the client-signature generator can be verified and host access granted or denied based on authentication criteria that comprise a predefined location with proximity criteria.

Before turning to a detailed description of the hardware used to implement the invention, it is useful to have an overview of the software logic. Separate descriptions of the software logic for controlling the client authentication means 240 and host authentication server 250 are presented.

b. Client Software Overview

Referring now to FIG. 3a, the client software is a Windows (trademark of Microsoft Corporation) based application, which allows the client authentication means 240 to make an Ethernet connection to the host authentication server 250 by using a TCP/IP protocol and attempt to gain access. Embedded within this application are the necessary objects to develop and communicate state vector observations.

FIG. 3a illustrates the control flow for the client software. When the software is started 301, the program splits into two primary execution paths, one for the user interface and the other for LSS data collection. The software continuously stores the location signature data (state vector observations) in a buffer, which can be defined in the program configuration file. The buffered data stream allows the remote client to send state vector observations to the host at a "faster than real time" rate in order to reduce the connect time. (That is, a segment of buffered data may represent X seconds of real-time observations, but the elapsed time for transmitting the "X-second" segment may be much less than X seconds.) The user interface portion of the software employs graphical user interface standards consistent with Windows (trademark of Microsoft Corporation) applications. The operator selects from three possible activities: 1) Access host; 2) Log-in Registration; and 3) Exit Program.

In the access host mode, the client software attempts to gain access to the host. It is assumed that the remote client has been previously registered with the host authentication server through a log-in registration procedure to be described later. The client initiates TCP/IP access at step 304 and connects to the host at step 306, then sends an access request code. The host will challenge the remote client with an authentication request at step 319, requiring it to respond with appropriate LSS data (state vector observations), at which point the client will begin to follow a set of transfer procedures controlled by the host. First, the host uses a token passing procedure with the client to estimate the crosslink time bias at step 312. Once this is complete, the host will challenge the client to respond with state vector observations derived from LSS device raw GPS data. The client sends digitized state vector observations at step 314. If the client site is verified to be where it is registered, the authentication process is completed within a few seconds, and access is granted at step 316 on an ASCII terminal basis at step 318. The time required to perform authentication will vary based on the consistency of the current state vector observations compared to what was measured as part of the original log-in registration process. If access is denied or the client exits ASCII terminal mode, then the software terminates the connection at step 320.

For clients who are attempting to access the host from a non-registered location (i.e., seeking unauthorized access) the authentication process at step 316 will continue until a time-out is reached. The host continues to request state observations to get a fix on the unauthorized client location. The time-out interval can be set in the configuration file and might be a few minutes. Messages can be displayed during this process which will falsely allude that the host is still attempting to authenticate.

If the registration mode at step 322 is selected, the client connects to the host at step 324 and then sends a registration request at step 326. The host uses a token passing procedure with the client to estimate the crosslink time bias at step 328. Once this is complete, the host (assuming the registration request is granted) will invite the client to transmit registration data at step 330. Upon completion of this, the client terminates the connection at step 320.

c. Host Authentication Server Software Overview

FIG. 3b shows control flow of the host server authentication software, which initiates and performs the authentication process and provides an ASCII terminal interface service if the client is properly authenticated. In addition, the host server software also supports an automatic client log-in registration procedure, which can be accessed from the software. The host server software is an answer only application, and will not respond to any action unless the correct initiating sequence is supplied by the client software.

Upon startup, the host server software splits into two application paths: the remote client/host server procedure at step 362 and the LSS device interface at step 350, which provides the interface to the location signature sensor associated with the host. The LSS device interface at step 350 can be configured to collect and store state vector observations (raw GPS data) from the LSS associated with the host in a file on disk for archiving and data processing. Throughout the execution of the program, state vector observations are continuously collected from the LSS device associated with the host authentication server site.

FIG. 3b illustrates the control flow of the host authentication server software. The remote client-to-host authentication server procedural path is the execution path that manages client access to the host. After startup at step 360, the host software initializes the host server at step 362 and enables the modem to which a client will connect for auto-answer at step 364. The software then goes into wait-until-called mode at step 366 with a decision loop to test at step 368 whether a connection from the client to the host authentication server has been made. If there is no connection, the wait-test loop continues. If a connection is made, the software tests the request code to see if it is proper and, if proper, what request has been made at step 370. If there is no proper request, the software terminates the connection at step 396.

If a valid request code for client authentication at step 372 is present, the host sends an authentication request at step 374. The host uses a token passing procedure with the client to estimate the crosslink time bias at step 376. Once this is complete, the host receives state vector observations and uses the authentication processor to develop the client state vector and apply the authentication criteria at step 378. The result of the authentication processor's execution is either the presence of an authentication signal or its absence, indicating no authentication, at step 380. If an authentication signal issues, the host provides ASCII terminal access at step
382 to the client. If no authentication signal issues, the client state vector was not accepted under the authentication criteria, and the host authentication server software terminates the connection to the client at step 396.

If a valid request code for client registration at step 384 is present, the host uses a token passing procedure with the client to estimate the crosslink bias at step 386. Once this is complete, the host receives the client's state vector observations and from that calculates to determine the relative geodetic position of the client at step 390. This is an iterative calculation, so the software determines whether the result of the positional determination has converged at step 392. If it has not, the software receives additional state vector observations and again calculates to determine the relative geodetic position of the client. If the positional determination has converged, then the host software registers the location in the database for authentication criteria at step 394 and terminates the connection to the client at step 396.

The invention can be manifested in both hardware and software products to support a wide range of network platforms to include ^?^^J^^^ systems and peripheral devices for communications, inter-networking, and security.

The standard host software is for use in performing initial authentication of clients requesting host access at the time connection to the host is first requested. In many systems authentication only at this time will be sufficient. However, for systems seeking a higher level of security, the standard software can be supplemented with optional upgrades for continuing, periodic authentication and two-way authentication. With the latter, the same authentication that the host requires of the client is reversed, so that the client also requires that the host provide a location signature for authentication.

d. LSS Hardware

The host authentication server could be a stand-alone gateway functioning as a transparent front-end security processor for a host entity, and as a hardware module with host authentication server software for secure network environments. The LSS may exist in several different form factors. The LSS can be a stand-alone device similar in size to a desktop modem unit. The LSS may also exist in a PC card form factor, a PCMCIA card format for laptop computer use in remote client or mobile host server applications or can be configured into a single microchip for integration into original equipment manufactured products.

The form factor of the LSS consists of an antenna/sensor unit to be placed outdoors or at an indoor location with adequate GPS satellite "view", and a small driver/communications unit that is interfaced to the host server computer through either a specialized internal board or a serial RS 232 data communications port. The introduction of the LSS device into an overall system may be within the gateway network or firewall function or some other portion of the network architecture that will be defined by an individual product application. In all situations, the primary function of the LSS is to produce digitized state vector observations for downstream processing.

In the preferred, codeless design of the LSS hardware, it is desirable to employ as simple a device as possible, composed of a hybrid combination of analog and digital circuitry in the manner described in U.S. Pat. No. 4,797,677, with a moderate quality reference oscillator contained within the LSS device. The reference oscillator is on the order of 0.1 parts per million (PPM) frequency accuracy. This implies that for compressing GPS signals from the P(Y) channel centered at 10.23 MHz with a reference frequency of 10.22995 MHz, the actual frequency being generated is uncertain by approximately 1 Hz for a 0.1 PPM reference source accuracy. The baseband signal bandwidth that contains the state vector observations to be eventually processed into position and velocity information is essentially contained within ±27 Hz for a static, Earth-based site exploiting the P(Y) channel, with a pseudo-random noise (PRN) chipping frequency of 10.23 MHz, and ±2.7 Hz for the C/A channel, with a chipping frequency of 1.023 MHz.

FIG. 4 shows in schematic block diagram form the hardware for an LSS device 400 using the preferred codeless technology. The antenna 401 is configured for approximately 20 MHz bandwidth reception at L1 (1575.42 MHz) and/or L2 (1227.6 MHz) right hand circular polarization (RHCP) and is assumed to have no appreciable gain (0 dB). The signal from antenna 401 goes to a low noise amplifier (LNA) 402 with a gain of 20 dB and a noise figure of 1.5 dB, which is equivalent to 122 Kelvins noise temperature. The output of LNA 402 goes to a heterodyne down converter 403 using an active, double-balanced mixer and having a conversion gain of lg dB. It is driven by a local oscillator operating at 1556.42 MHz, which may be free-running or from the reference oscillator 414. The stability requirement for this local oscillator derives from the requirement that a majority of the spread spectrum signal power from the GPS satellites arrives within the first intermediate amplifier bandpass of the sensor.

The width of the P(Y) channel spread spectrum signal is 20.46 MHz between the first nulls and is 2.046 MHz for the C/A channel. Following the heterodyne conversion stage 403 the signal goes to the first intermediate frequency (IF) amplifiers of spectral compressors 404 and 405 at a center frequency of 19.0 MHz. Compressor 405 performs spectral compression of the P(Y) channel signal. The bandwidth of the first IF is approximately 20 MHz so as to pass the majority of the central lobe of the P(Y) spread spectrum. Compressor 404 performs spectral compression of the C/A channel signal. For the C/A channel, the width of the first IF is 2.0 MHz, so as to pass the full width of the spectra between the first nulls. The details of the effective spectral compression achieved by the delay and multiply operation are given in U.S. Pat. No. 4,797,677 (which is incorporated herein by reference).

The choice of the center frequency of the first intermediate frequency is not completely arbitrary; rather it is constrained by the delay and multiply architecture employed to recover the 10.23 MHz chipping frequency used to create the spread spectrum of the GPS satellite signal. To maximize the chipping frequency signal recovery, it is necessary to split each channel into two signals and delay one signal path by an amount of time equal to one-half of the P(Y) or C/A channel chip period or 49 nanoseconds or 490 nanoseconds, respectively. Within compressors 404 and 405 are filters composed of passive elements (inductors and capacitors) to perform this delay function. The frequency corresponding to a period of 49 nanoseconds is 20.42 MHz. However, because a down conversion frequency of 10.22995 MHz will be subsequently used in the sensor, there is the possibility of second harmonic power being present which will have a desensitizing effect upon the second IF stage. Thus, the time delayed path through the filter is phase-shifted by one full wavelength at the first IF amplifier frequency of 19 MHz and 10 full wavelengths for the 490 ns delay. The resulting delays of 49 ns for P(Y) and 490 ns for C/A are sufficiently close to optimum to be quite practical.

A mixer in each of the spectral compressors 404, 405 multiplies the in-phase and delayed path signals, which has
the effect of compressing the spectrum into a width of 70 Hz with a center frequency of 10.23 MHz. The stability of the satellite-transmitted 10.23 MHz signal that controls the PRN sequence generators within the GPS satellites is governed by the atomic oscillators within the satellites and is not a function of the first local oscillator frequency within the LSS 400. One and only one spectral line is created by each satellite because of the maximal length code structure of the PRN. The coded signals have a very low cross-correlation product between the satellites, and thus the intermodulation products are low to non-existent. See, "GPS Signal Structure and Performance Characteristics", J. J. Spilker, Navigation, Institute of Navigation, ISBN 0-0936406-00-3, Vol. No. 2, Summer, 1978.

The signals output by spectral compressors 404, 405 result from a final down conversion to a baseband using a reference oscillator 414 having an accuracy of 0.1 PPM or better. The actual frequency of operation of this second local oscillator 414 will be a solved-for parameter in the final state vector estimation procedure, which will be performed by the host authentication processor 214.

It is now possible to establish the rationale for determining the nominal value for the down conversion frequency to be used in the LSS device 400; namely, a reference oscillator whose accuracy is 0.1 PPM at a nominal 10 MHz causes 1 Hz offset. The nominal Doppler frequency shifts along the lines of sight from the LSS device 400 to the multiple GPS satellites above the horizon are ±27 Hz. A possible LSS velocity-induced Doppler shift (<220 m/sec, 440 knots) results in a 6.8 Hz shift. Thus, the dominant effects on the chipping frequency spectral line position are the combined Doppler effects from the GPS satellites and a possible velocity of the remote client. The least influential effect is from the reference oscillator frequency accuracy. The sum of the worst case combination of these tolerances is 34.8 Hz. For convenience in processing, it is useful to have the spectral lines remain on the same side of the zero frequency. Assuming that the center frequency of the compressed baseband is placed at 50 Hz, the negative tolerance of 34.8 Hz makes it necessary to process a band extending from 15.2 Hz to 84.8 Hz.

e. LSS Hardware Operations Details

The primary function of the reference oscillator 414 is to remove the frequency bias that contains no positioning information, leaving only the small bandwidth signals of 70 Hz for the P(Y) channel and 7 Hz for the C/A channel which are then digitally sampled at 200 Hz for the P(Y) channel and 20 Hz for the C/A channel. The output level of spectral compressors 404 and 405 is +13 dBm (1 Vrms at 50 Ohms)

configured to contain from 10 seconds (about 200 samples) to several minutes of state vector observations, as may be required or commandable from the host authentication server 250. (The larger buffer capacities can be implemented (i.e., 20 kilobytes for 100 seconds) for other applications, such as initial remote client location registration or possibly to derive the location of a party attempting a fraudulent transaction with a stolen LSS device.) These FIFO buffered, analog-to-digital converted values are (in the case of the client LSS) then transferred upon challenge by the host server for subsequent processing into the state vector of the remote client.

The contents of the buffers 410, 411 are formatted for transmission by a message formatter 412, clocked by an arbitrary time code generator 413. The resulting formatted state vector observations 415 are transferred for the initial site log-in registration process and for the LSS response from a remote client that seeks host access and provides the state vector observations for testing against the host's predetermined authentication criteria. As discussed in greater detail below, the state vector observations are typically tested for consistency with authentication criteria based on the registered location of the remote client.

Although the preceding discussion has been focused primarily on the LSS 203 in the client authentication means 240, in the preferred embodiment, LSS 203 will be essentially identical to the LSS 218 that prepares state vector observations under control of the host authentication server 250. However, in some applications where the LSS 218 is immediately adjacent the host authentication server 250, some of the compression and formatting of the state vector observations required for effective communication on standard lines from a remote site would not be necessary.

f. Host Authentication Server Hardware

In FIG. 2, the client authentication means 240 is shown transferring its compressed band GPS signals, the state vector observations, to the host authentication server 250. The data processing functions operating on GPS signals sent to the host authentication server 250 are performed by a specially configured 80486/100 MHz or Pentium class personal computer architecture or, alternatively, a workstation class computer.

Referring now also to FIG. 5, the data processing at the host authentication processor 214 as aided by the client access control 212 is explained. At the host authentication server site, the processing sequence of events begins with challenging the client authentication means 240 at the remote client to respond with the digital raw GPS data. A part of the host authentication server 250 is a LSS device

and is used as the input to a pair of analog to digital 218 which transfers state vector observations acquired for 

converters 408 and 409. which are triggered by digital the host site (usually locally acquired and of similar duration 

sampling signals from oscillator 406 and divider 407, to the client-supplied observations) to enable the DGPS 

respectively. Each analog-to-digital converter 408, 409 per- processing. 

forms an eight-bit sampling of its respective input waveform 33 Before turning to the processing of the state vector 

at a rate of 200 Hz or 20 Hz. The actual number of bits in observations from the client LSS device 203 and host LSS 

the analog-to-digital conversion can be a variable that might device 218, comment on the contents of the authentication 

be commanded by the host server but will always be at least criteria information database is useful An important feature 

one bit For the P(Y) channel, the choice of 200 Hz is of the codeless form of this invention is the ability to identify 

governed by the need to adequately sample the 152 Hz to # each of the individual satellite signals arriving at the location 

84.8 Hz physics band from the LSS. The 200 Hz sampling of the LSS's without PRN code use or telemetry interception 

rate is 18% above the minimal rate of 170 Hz of the Nyquist at the client location. However, at the host, where more 

sampling criterion. extensive GPS information, e.g.. satellite orbits, is required 

The outputs of the analog to digital converters 408. 409 for efficient processing, a conventional GPS receiver (not 

are transferred to digital memory buffers 410. 41L which 65 shown) is used to capture and provide such information for 

function as first-in, first-out (FIFO) data buffers for C/A and the authentication criteria information database 511. One 

P(Y) data, respectively. The FIFO buffers 410. 411 can be suitable form of receiver is die Micro Tracker, manufactured 
and sold by Rockwell/Collins, Cedar Rapids, Iowa, with an antenna shared by the conventional C/A receiver and the host's LSS device. This C/A receiver provides three components of geodetic information to the database 511 for use by the host authentication processor 214:

(1) the approximate (within 100 meter) location consisting of latitude, longitude and height components of the state vector of the host authentication server processor, which need not be accurately set within the World Geodetic Datum (In fact, there is some explicit value to intentionally offsetting the host authentication server geodetic location by several tens of meters, to add an additional level of security. The differential baseline vector solution for the individual authorized remote client locations would then contain that host server bias. This would not be general knowledge and make it more difficult to spoof a host by first having known the true geodetic coordinates of the remote client location);

(2) the GPS satellite orbital elements in the form of the almanac and the precision elements provided by the C/A receiver, and

(3) an approximate epoch time based on Universal Time Coordinated, which is needed to an accuracy of only 0.01 second to meet the requirements of 1 meter differential positioning accuracy for a 200 km separation between the LSS and the host server site.

As will be seen, this information is accessed by various components and used at various stages of the processing shown in FIG. 5.

The normal operating scenario and functional components for host authentication processing are as follows. The client authentication means 240 at the remote client transfers 10 seconds of P(Y) channel data and/or 100 seconds of C/A channel data captured by LSS 203, comprised of 2000 bytes plus communications overhead. That is, the contents of the buffers 410 and 411 are transferred via channels 209, 211 and 213 to the client state vector observation manager 502, which stores the transferred data in a buffer and organizes the data to ensure that it is in the right sequence and that there are no gaps in the sequence. The manager 502 also receives as an input UTC epoch time 521 from database 511 and provides the association between the arbitrary time base in the sequence of buffered data and UTC. Thus, manager 502 acts on the 2000 sample points, representing a 10 second time series, preparing an output stream 503 for client state vector observations preprocessor 504.

Processing in the client state vector observations preprocessor 504 begins with Fast Fourier Transform (FFT) processing. The result of FFT processing is a discrete frequency spectrum (set of spectral lines) composed of amplitude, frequency and phase values for the entire 86 Hz bandwidth of the received channel sensed at the remote client's LSS 203. The FFT functions of preprocessor 504 may be implemented in either software or firmware and derive their phase information from an arc tangent operation on the in-phase divided by quadrature amplitude ratios.

The processing continues by identifying each of the satellites that are present, as represented by a spectral line having been extracted from the FFT digital signal processing. An analytical model of the situation is formed in state vector observations preprocessor 504 by using the known physical circumstances. The required inputs to this model are the locations of the host authentication server site, remote client registered location, the GPS satellite orbital elements (to predict which of the perhaps twenty-four possible GPS satellites are likely to be in common view of the remote client and host authentication server) and the UTC data from database 511 supplied with the input stream 503. After the spectral lines are isolated, the preprocessor 505 associates each spectral line with an individual satellite and converts the amplitude, frequency and phase values into equivalent range and range rate values in an output stream 505.

The same buffering, organizing and checking functions that are performed on the client LSS data are performed on the host LSS data. That is, buffering, organizing and checking functions are performed at the host state vector observation manager 507 on the host authentication server's LSS data records (arriving via channels 219, 221 and 225) from a host-controlled, predefined location. The output stream 508 of host observation manager 507 consists of host LSS data associated with UTC of the same type as the output 503 from client observations manager 502.

The output stream 508 goes to the host state vector observations preprocessor 509, which performs Fast Fourier Transform (FFT) processing. As with the processing in preprocessor 504, the result of FFT processing here is a discrete frequency spectrum (set of spectral lines) composed of amplitude, frequency and phase values for the entire 86 Hz bandwidth of the received channel sensed at the host's LSS 218. After the spectral lines are isolated, the preprocessor 509 associates each spectral line with an individual satellite and converts the amplitude, frequency and phase values into equivalent range and range rate values in an output stream 510.

State vector observations from both sources are required to perform a differencing of the frequency and phase observables, so as to explicitly eliminate the selective availability (SA) dithering which is imposed on the GPS signals. Thus, both of the output streams 505 and 510 from the client and host state vector observations preprocessors 504 and 509, respectively, are communicated to the difference operator 513. The difference operator 513 subtracts the host state vector observations from the client state vector observations to produce differential state vector observations for each of the common view satellites. The output 514 of difference operator 513 is the set of client differential state vector observations. The set of client differential state vector observations becomes the input to state vector final processor 515, together with GPS orbit information 512 from the database 511. This processor 515 develops the baseline vector, which is the x, y, z offset of the remote LSS 203 from the host LSS 218. This operation is a simultaneous estimation processor filter, such as a Householder Transformation, that evaluates the three dimensional vector components, time bias, differential receiver phase bias and the frequency offset term of the reference oscillators 414 of the LSS's.

More specifically, the state vector final processor 515 computes the expected satellite Doppler shift, derived from a nominal position for the LSS and any approximate velocity for the remote client. The Doppler shift for each satellite is decomposed into southern, eastern and vertical components in the topocentric reference frame. These three components comprise three of the unknowns for the system of equations. The fourth unknown is the client LSS reference oscillator 414 frequency offset, which will be estimated relative to the host server reference oscillator. Each observed satellite signal source presents one equation containing these unknowns. Hence, a minimum of three observations is required for two-dimensional measurements and four observations for three dimensions.

A computation of the Geometric Dilution of Precision (GDOP) for the satellite constellation geometry existing at every epoch is performed in processor 515. A Householder rotation and back substitution are then used to triangularize
the observation matrix and solve the equations. This is equivalent mathematically to a Kalman filter update; however, it has been shown to be more numerically stable. (See "Factorization Methods for Discrete Sequential Estimation", G. J. Bierman, Vol. 128, Academic Press, 1977.) The solution vector is in units of meters of either the P(Y) or C/A phase or meters per second equivalent for the frequency offset term. The components of this solution vector corresponding to positioning and velocity are obtained by multiplying the received P(Y) channel chipping wavelength (29.3052256 m) or the C/A channel chipping wavelength (293.052256 m) to achieve the estimated values for the positioning and velocity measurement.

When the baseline vector is added to the host position vector in processor 515, the result is a set of state vector attributes of the client, which is provided as output 516 to the final comparator operation in the state vector attribute comparator module 518. If the comparator 518 determines that the authentication criteria are satisfied, it produces an affirmative authentication signal on line 519. Otherwise, the authentication signal on line 519 indicates that the authentication criteria were not satisfied and the client is not granted access to the host. (It should be noted that the output 516 is also provided to the client and host state vector observations preprocessors 504, 509 as an input to iterative calculations that occur there.)

While not every security situation addressable by this invention will require sub-meter or millimeter precision in resolution of the state vector from state vector observations provided to the host, as discussed next, very high precision is available.

As an example, within the ten-second time series input to the individual FFT operations, the resultant frequency bin resolution is 0.1 Hz. The FFT operations are performed on five-second segments. Using the signal power in the bins adjacent to the strongest peak, it is possible to interpolate to better than an individual 0.1 Hz bin width and determine the most probable frequency value to an accuracy of 0.02 Hz. Because the FFT operates on five-second segments, and given a frequency uncertainty for an individual spectral line of 0.02 Hz, the phase will be uncertain by 5 seconds × 0.02 cycles/second = 0.10 cycle. This phase is well within the 0.16 cycle criterion needed in order to perform phase connection between adjacent and overlapping time series intervals. Given 12 FFT-derived estimates of amplitude, frequency and phase every minute, a least squares quadratic (or higher order, if necessary) fit to the phase data can be performed at a predetermined rate that will account for possible frequency drift of the reference oscillator in the relevant LSS. Given an FFT signal-to-noise ratio of 20, the equivalent phase noise will be 0.05 radians (0.008 cycle). The aggregate precision of the frequency measurement over a one minute interval will be 0.008 cycle/60 seconds or 1.2×10⁻⁴ Hz, which is equivalent to 25 meters, given a positioning sensitivity of 5 microHertz per meter for the P(Y) channel. Given a horizontal dilution of precision (HDOP) of 2 and four or more satellites, each with a Doppler measurement precision equivalent to 25 meters, the positioning solution is equivalent to 50 meters.

In accordance with the description of the codeless positioning methods in U.S. Pat. No. 4,797,677, tracking of the connected P(Y) channel phase data provides the approximate baseline vector with sufficient precision to resolve the C/A cycle ambiguities, which are 293 meters. The C/A cycle phase precision of 5 meters is then used to resolve the 29.3 meter ambiguities of the P(Y) channel in order to achieve sub-meter positioning precision. In a similar manner, the P(Y) channel phase tracking can be exploited to a precision of a few centimeters, which can be used to resolve the 86 cm ambiguities of the L1-L2 data type, which, in turn, can be utilized to achieve millimeter precisions in differential positioning.

As noted above, a conventional C/A code-correlating GPS receiver at the host server site extracts the GPS data broadcast by each of the in-view satellites and provides certain information to the database 511. Specifically of interest are the GPS satellite orbital elements, the Universal Time Coordinated (UTC) and the geodetic location at which the LSS's associated with the host authentication server and client authentication means are operating. The required accuracies of each of these quantities will now be examined.

The accuracy to which the UTC epoch time is to be known is rather modest. For example, if it is desired to register the position of a remote client to an accuracy of one meter, then it is required to know the time at which to evaluate the satellite orbit elements in order to correctly estimate the individual satellite positions and correctly compute the vector separation. Consider that a 1 meter quality differential positioning is required over a separation of 2000 km. The differential attenuation of the orbit error over this baseline would be only 10 to 1. The angular equivalence of 1 m/2,000,000 m is 0.5 micro-radians, which for the GPS satellites at 26,000 km geocentric radius corresponds to 13 meters. Because the satellite's along-track velocity is 3800 m/s, a UTC error limit of 3 milliseconds is required to allow meter quality differential positioning at continental size scales. The conventional GPS C/A receiver that is available at the host server site is capable of supplying 0.1 microsecond timing traceable to UTC, and thus 3 ms accuracy is no problem.

The next timing element that enters is the accuracy with which the latency of the remote client data must be determined by the host authentication server. The maximum range rate on the lines of sight to the satellites is approximately 700 m/s, so that in order to determine a differential positioning accuracy to 1 meter, the differential timing between the remote client and host server must be determined with an accuracy of approximately 1 ms. The LSS design of the digital response to being challenged by the host server is to return a time-interval-constrained raw data set whose discrete samples of the baseband signals are separated by 5 ms for the P(Y) channel and 50 ms for the C/A channel. These LSS response packets are also accompanied by an arbitrary time code, which is maintained in the remote client LSS. As a part of the host server data processing, the actual UTC time tag that applies to the remote client LSS will be estimated.

The accuracy to which the satellite orbits must be known can also be assessed by the influence that such an error will have on the maximum rate of change of the Doppler shift. The period of the GPS circular orbits is nearly 12 hours and the geodetic radius of the orbit is 26,500 km. Therefore, the along-track velocity of the GPS satellites is 3.86 km/s. Currently, GPS broadcast orbits are accurate to 10 m to 20 m. The orbit error budget to allow 1 meter accuracy over a 2,000 km separation is determined by the ratio of the satellite height (20,000 km) to the site separation (2,000 km) times the positioning accuracy (1 m), which is then 10 meters on-orbit. However, under conditions that are consistent with U.S. Department of Defense SA policy that supports positioning of accuracy of 100 meters 2-d RMS, the orbit accuracy is approximately 120 meters. (See Federal Radio-Navigation Plan, DOD-4650.4, DOT-TSC-RSPS-84-8, Department of Transportation, 1989.) If the broadcast orbit
accuracy were to be degraded to 120 meters, then the system accuracy would become 12 meters at 2,000 km separations.

The accuracy of the host server geodetic position can be easily met by accepting a C/A derived position whose accuracy will be 100 meters or better. An ordinary map can supply the necessary accuracy to support remote client/host server operations. A U.S. Geological Survey quadrilateral chart of 1:20,000 scale can provide locations to 20 m given identification of the host server site with a 1 mm map location accuracy.

On occasion, two or more satellites will have Doppler frequency shifts that are within 0.1 Hz of one another. This Doppler collision is dealt with [...] 504, 509, either by temporarily deleting the two satellites in [...] resolution method can be achieved by phase-tracking the signals over an interval longer than the ten seconds of the FFT method, which achieves frequency bin widths narrower than 0.1 Hz. By phase-tracking individual satellites every five seconds over a 100-second interval with phase noise of 0.02 cycle, it is possible to attain an equivalent bin width of 0.2 mHz, which basically eliminates the Doppler collision problem. The fact that two satellites have nearly the same Doppler shift (within 0.1 Hz) is also information that is useful in the simultaneous estimation filtering approach.

IV. Single Client LSS Embodiment

As noted above, FIG. 1 shows an embodiment of the invention in which the only state vector observations that are used in the authentication process are provided by LSS 103 at the client authentication means 150. FIG. 6 shows how the host authentication server 150 proceeds in that situation. There are a great many similarities between the components and authentication process in this situation and that shown in FIG. 5. Accordingly, only the broad differences are emphasized [...] is referred to the above discussion of FIG. 5 for further details.

As seen in FIG. 6, state vector observations from the client authentication means 150 are transmitted to the host authentication processor 114 via channels 109, 111 and 113. The state vector observations from the client authentication means 150 are first processed at the client state vector observation manager 602 and the output 603 of the manager 602 is passed to state vector observations preprocessor 604. This preprocessor 604 receives certain GPS orbit information 606, UTC data 621 and other parameters received by a conventional GPS receiver (not shown) controlled by the host authentication server 156 and stored in the authentication criteria database 608. The output 605 of the preprocessor 604 goes to the state vector final processor 607, which also receives certain GPS orbit information, UTC data and other parameters stored in the authentication criteria database 608. The output 610 of the state vector final processor 607 is a set of state vector attributes that is used as input to the state vector attributes comparator 611. The state vector attributes comparator 611 also receives as input on line 609 the authentication criteria stored in the authentication criteria database 608. If the comparator 611 determines that the authentication criteria are satisfied, it produces an affirmative authentication signal on line 612. Otherwise, the authentication signal on line 612 indicates that the authentication criteria were not satisfied, and the client is not granted access to the host.

The processing in this embodiment that yields the state vector attributes differs from the DGPS processing in the embodiment shown in FIG. 5 by the fact that an LSS is not available at the host authentication processor to act as the fixed correction site to eliminate the SA dither and atmospheric errors.

V. Authentication Criteria

a. General Considerations

The application of the authentication criteria stored in database 511 (database 608 in the single LSS embodiment) is the final step of the authentication procedure and is implemented in state vector attributes comparator 518 (comparator 611 in the single LSS embodiment). Basically, the state vector attributes that have been defined as relevant have been extracted from the state vector observations supplied to the host authentication server 250 (or 150) and are compared to predetermined authentication criteria. [...] the state vector attributes distilled from the state vector observations supplied to the host authentication server [...] location [...] compared to the particular [...] that client stored in [...] LSS embodiment) or to a list of authorized client locations stored there. If the host authentication server produces a remote client location that matches the previously registered client location within a predetermined threshold (e.g., three meters), access is granted to the remote client user. The range of location values considered acceptable is a variable that can be set depending upon the separation between the remote client and the host authentication server and the quality of orbits available for real time processing. That proximity range for acceptance can be from millimeters to several meters, depending on the security needs and on other factors that might affect the ability of the system to make an exact (or near) geodetic location match.

The host authentication server manager can, if desired, follow [...] of the authentication procedure. For [...] the estimated reference oscillator offset and data processing is [...] to the computer [...] mass storage and can be simultaneously displayed for the host authentication server manager on a monitor. The monitor output can also show the azimuth, elevation and satellite vehicle number of all potentially visible satellites. Satellites which have been actually received in common can be indicated, and observed signal-to-noise ratio recorded, including a polar plot indicating the relative position of the satellites to the LSS's, dilution of precision measurement of the current observed geometry, status messages regarding Doppler collisions (satellite Doppler values too close together to uniquely identify each satellite, i.e., 0.8 Hz difference, which are managed within the state vector observations preprocessors), differential oscillator offset variations, and the east, north and vertical position and velocity components averages spanning a set time interval (10 to 1000 seconds), depending on the level of assurance desired in the authentication. The operator can thus watch the position and velocity information derived from the DGPS processing as it is compared with the registered remote client location information (or, in some situations, the transferred C/A receiver position and velocity data) to verify that the remote client is either at the fixed geodetic site authorized (or, as discussed below, is willing to reveal its location if in a mobile environment).

Security afforded by the present invention is due to a combination of factors. One is simply the level of precision available. If the level of precision required by the authentication criteria is high, then the fraudulent client will not be able to get access by seeking access from a site that is close to the authorized site but not sufficiently close. The use of information from both the P(Y), C/A channels also has advantages.

The use of the codeless mode allows the compression of the P(Y) and C/A channels by a factor of a million to one of
all in-view satellites, perhaps as many as twelve, and is performed without knowledge of the actual code details. The compressed signals are then digitally sampled and formed into signatures to be transferred when appropriately challenged. The universe of signatures that can be created by this method is virtually infinite, is continuously changing (due to satellite orbital dynamics and U.S. Department of Defense imposed selective availability that dithers and degrades conventional code correlating GPS C/A receivers), is non-repeating and is everywhere unique. The output of the client authentication means changes every five milliseconds, so that even if a LSS response intercept did occur, the signature will be of no value to an adversary, because it becomes stale so rapidly. The host authentication server software has the ability to estimate the signature latency with an associated limited tolerance for transmission delays. Attempts at signature reuse will result in DGPS solution divergence that will produce no position result whatever. Attempts to "guess" signatures will face a combinatorial challenge of finding an acceptable string of 16 kilobits.

The security afforded by the invention is actually enhanced by the limitations placed on the broadcast GPS signals known as Selective Availability (SA), which other GPS receivers find as a limitation. The conventional GPS receiver user must either tolerate the 100 meter accuracy performance level or somehow correct the SA effects, such as with differential corrections services information input to the GPS navigation receiver. The SA policies intentionally degrade the satellite pseudo ranging signals by dithering the apparent distance between the satellites and the GPS receiver, which results in a less accurate position solution that changes continuously. As a practical issue, it is not possible for an adversary to create a fraudulent version of future pseudo range values (or signatures) in order to spoof this invention to gain access. For example, if the DGPS process achieves 0.5 meter accuracy, the adversary attempting spoofing would require orbits whose accuracy would be 0.5 meter; this is not possible in real time.

b. Certain Procedures to Enhance Security

By use of certain procedures together with the basic invention, additional security can be achieved. Periodic or "continuous" authentication can be performed to ensure system integrity once host access is granted, to guard against the possibility that an adversary may have hijacked the channel after the initial, log-in authentication stage allowed client access to the host. A burst of LSS (GPS) raw data is used to initiate the geodetic authentication at log-in that allows the channel opening to the host. However, continuing communications carrying a low bit rate raw data stream transparent to the user can continue the authentication process on a periodic basis. This low bit rate continuous authentication can be implemented by transferring the 20 Hz sampling of the C/A channel raw data from the remote client LSS. While only a low bit rate sample is required, it may not be sufficient to confirm location within the same tight criteria as were used at log-in, unless the incidents of confirmation are several minutes apart. Thus, there is a trade-off between keeping the data size of the continuing sample used to confirm location small, and the precision of the confirmation

authentication server challenge. If both the host and the client are equipped with a LSS and authentication means, two-way authentication can be accomplished between protected network host servers and a client that also has the location signature challenge option and the ability to apply authentication criteria.

The file of client geodetic locations (latitude, longitude and height) that constitutes the authentication criteria that allows host access must be protected. Only the host server system manager (preferably two persons simultaneously acting) should have the authority to add or delete authenticated locations. As mentioned above, two other steps can be taken to help ensure the integrity of the authentication criteria. First, the authentication criteria can be encrypted. Second, the host authentication server geodetic location can be intentionally offset from the standard World Geodetic Datum. The differential baseline vector solution for the individual remote client locations would reflect that host bias. This bias would not be generally known and would make spoofing based on knowledge of the host's geodetic coordinates difficult.

c. Establishing Authentication Criteria for Fixed Client Entity

To be effective, the integrity of the authentication criteria used at the host authentication server must begin at the time these criteria are first established and continue thereafter. In the process of initial site registration, the host authentication server system manager will have a priori information on the approximate location of the client site to be registered. That a priori information might be as simple as the street address, which will allow the acquisition of approximate map coordinates. This map-based method could provide a horizontal position accuracy of perhaps 0.1 to 1 km.

For greater security, it is necessary to get a more accurate location as the basis for the authentication criteria for any client. To do this, a system installer will have a specialized equipment set that will contain a conventional C/A GPS receiver to determine the approximate LSS roof mounted position within 100 meters. The LSS would then be connected as if it were installed equipment for an interval of 1 to 24 hours with its data output being logged onto a laptop computer with one or more diskettes used to store these data. The data are then transferred electronically, package mailed or transferred to the host authentication server by conventional secure means. The host authentication server then processes these data from the client site and derives the baseline vector between the remote client and host authentication server with an accuracy of meters to millimeters as may be required to assure security. The resultant remote client site registration is then compared with the a priori site position from a map or C/A receiver derived data to verify the reasonableness of the coordinates before they become authentication criteria in the host authentication server database.

In an operational environment the LSS device is installed and approximately positioned using a conventional C/A receiver to derive the geodetic position of the LSS antenna with 100 meter accuracy. Given such C/A receiver data as a priori constraints on the baseline vector, it is not necessary

calculation or the frequency with which a precise conflrma- 60 to process the Doppler observations to resolve the 293 m 

tion can be made. C/A cycle ambiguities. However, in the absence of the C/A 

The system can be used to protect networks in several receiver positioning data, the codeless state vector obscrva- 

difFerent configurations, depending on the end user require- dons can be used to solve the baseline vector to a precision 

ments. In the basic form, each remote site, whether an of a few meters. This result can be utilized for the location 

individual PC. workstation or a remote client/host server 65 authentication function or can serve as the 293 meter 

network, requires a LSS and client authentication means in ambiguity resolver for the P(Y) channel that will allow 

order to gain access to a protected network through the host positioning with sub-meter precision. 




As previously discussed in connection with FIG. 3, another approach
that is convenient but may be less secure is to permit the client to
register by providing positional data as part of a log-in
registration. This mode provides a method to register a site quickly
with the host authentication server software. By selecting this mode,
the client authentication means software accesses the host server and
requests a site registration procedure. At this point the host server
commands the receiver to perform a number of operations. The primary
command is to transfer the buffered LSS data, so that the relative
position can be estimated with 1 meter accuracy. This process will
have a variable duration. For client sites known a priori within 100
meters, the position can be determined in less than one minute
(depending upon the crosslink communications speed). For solutions
starting with an uncertainty of 3 kilometers or more, between 4 and 6
minutes of data might be needed. This is dependent upon the
simultaneous parameter estimation ability to converge, and the data
crosslink rate.

d. Special Security Situations

In applications where a high density of users exist in a single
facility, a single LSS can be used to authenticate all assigned users.
The LSS would likely be integrated with the facility's network host
server or gateway in this scenario. This application assumes that the
integrity of a facility's physical security has not been compromised.
A host authentication server challenge system can be configured to
allow access to any authorized LSS device making it usable for
Internet and enterprise network applications.

Operations in large office buildings present a special circumstance,
because adequate sky visibility is restricted to only the roof area,
electrical power may not be available there and coaxial cables are not
likely available or impractical for installation. Only telephone lines
may be available. In such a circumstance, the approach is to utilize
existing copper telephone lines to simultaneously power the roof
mounted LSS device and retrieve its signal output at one or more
interior sites by way of the copper wire pair. For best security,
however, the roof mounted LSS device would not produce a potentially
interceptable, final, formatted digital message. Rather, it would be
preferable to do only enough down conversion to produce a signal that
could make use of the copper telephone lines, but leave the signal in
somewhat raw analog form, so as to allow for the opportunity to
introduce individual LSS device attributes for specific locations
within the building in a final conversion stage. These attributes
could be used to identify individual units within a building which
shares a single LSS geodetic location.

There are also options to perform positioning with accuracies to the
millimeter level, which will be subject to subtle errors induced by
multipath signal reflections of the individual site surroundings.
These have the effect of providing a unique signature for the
authorized location that can be verified on challenge as a part of the
LSS response. To implement the mm level system, it will be necessary
to employ greater sophistication in the differential GPS methodology,
which will require simultaneous reception of the L1 (1575.42 MHz) and
L2 (1227.6 MHz) transmission bands from each of the GPS satellites
being received. The codeless reception of the L1 and L2 bands will
allow the direct calibration of the effects of the Earth's ionosphere
which has the effect of causing errors in the baseline vector
processing whose effects are a few meters at long distances. The
ionosphere is highly variable and unpredictable, particularly when
considering effects at the mm level between client and host server
sites that are separated by hundreds of km. Thus, to reveal the purely
multipath signature of a particular location, it is first necessary to
remove the ionospheric errors. This is a fact that can be exploited to
advantage for increased security in certain environments, since it
brings into play yet another level of complexity that makes it very
difficult for an adversary to spoof the signature. The millimeter
level system will require higher than normal accuracy for satellite
orbits.

It is also anticipated that a combined C/A code receiver with a
codeless subsystem will have an advantage for authenticating a mobile
client. The issue of a mobile client needing host access is a more
challenging task than the fixed site to fixed site remote client/host
server situation. A general motivation for using the invention is to
remove the anonymity factor of the fraudulent actor who could come
into a system from anywhere in the world. Also implicit in the
invention concept is the notion that a legitimate user is willing to
reveal the user's location to the host authentication server in the
process of gaining access. In the normal fixed site deployed system,
the location of a remote client can be determined in three dimensions
and then registered for subsequent comparisons, in order to decide
whether or not to grant access to the host or terminate the
communications connection. However, the mobile user is by definition
not at a fixed, previously known location and therefore cannot be
registered.

One solution is to provide the authorized mobile client with special
client authentication means that not only includes the components
shown in FIGS. 1 and 4 but also includes a conventional C/A receiver
and means for communicating its output (processed positional data)
along with the state vector observations from the LSS. By using the
C/A receiver output of latitude/longitude and height even if only
correct within hundreds meters on the horizontal, together with the
raw codeless state vector observations, the host authentication server
can verify that the client is within hundreds meters of the location
claimed by the C/A receiver. And both forms of data can be examined to
see if the client location is at least geographically plausible (e.g.,
somewhere in a state or city). Because of the underlying notion in
this authentication system that a legitimate user is willing to allow
the user location to be known to the host server, a mobile client that
fails to provide LSS data or LSS data that produce a plausible
locational solution will be denied host access.

For certain mobile users, the authentication criteria may be somewhat
different; some additional criteria can be applied. For example, for
an aircraft or a plane with a known flight plan or travel path, the
authentication criteria can be a series of geodetic positions combined
with a velocity factor. Such a stream of data as would be generated by
a traveling LSS would be very difficult to spoof.

VI. Code Correlation Embodiment

Although the preferred embodiment of the invention is based on
codeless technology for capture of the state vector observations at
the client LSS and any LSS associated with the host authentication
server, conventional code correlation technology can also provide the
basis for a location signature from a client. As shown in FIG. 7, a
conventional code correlation GPS receiver 712 can be adapted to
perform the location signature sensing function.

As seen in FIG. 7, the antenna 701, LNA 702 and heterodyne down
converter 703 are the same as in FIG. 4. The output of the heterodyne
down converter 703 is passed to a multi-channel cross-correlator 704.
The cross-correlator 704 also receives as input the best estimate of
the state vector for the client as calculated and fed back by a
navigation processor 707. The multi-channel cross-correlator 704 can
be commanded to output individual pseudo range measurements of all
visible satellites. The outputs of the cross-correlator 704 are orbit
information 705 and state vector observations in the form of C/A
pseudo ranges 706, both of which are provided to the navigation
processor 707. Each of the pseudo range measurements 706 output by the
cross-correlator 704 will be affected by the SA dithering. The
signature of the client is formed by time-tagged packets prepared by a
message formatter 709 that receives as input C/A pseudo ranges 706
from the GPS C/A receiver in the cross correlator 704; date/time
information from the navigation processor 707; and the best estimate
of the state vector for the client as calculated by navigation
processor 707 (i.e., the multiple pseudo range values to the several
visible satellites which are being tracked). These nearly raw
observations are then transferred via channel 711 from the remote
client 240 (140 in the single, client LSS version) upon the client
being challenged by the host authentication server.

At the host authentication server site, the C/A GPS receiver derived
pseudo ranges from the remote client location are compared with
similar pseudo ranges derived at the host authentication server.
Corresponding satellite pseudo ranges from the remote client and host
authentication server GPS receivers are differenced at difference
operator 515 to eliminate the SA dithering. A baseline vector solution
between the host server and remote client is formed at state vector
final processor 515 using the GPS orbit information either received
from the real time broadcast or independently derived from orbit
monitoring sites. Finally, in the comparator 518 the authentication
criteria are applied to the state vector attributes that have been
derived. If the remote client is at a pre-authorized location, host
access is granted; otherwise the connection between the client
authentication means and the host authentication server is terminated
and a report is made of attempted fraudulent entry.
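
The differencing, baseline solution and comparator steps just described, worked through as an added example (not code from the patent). It assumes a simplified model in which SA dither is a per-satellite range error common to both receivers at the same instant; the coordinates, clock biases, dither values, 5 m tolerance and all function names are constructed for illustration.

```python
import math

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def pseudoranges(rx, sats, clock_bias_m, sa_m):
    """Geometric range + receiver clock bias + per-satellite SA dither (metres)."""
    return [dist(s, rx) + clock_bias_m + e for s, e in zip(sats, sa_m)]

def solve(a, y):
    """Solve the square system a*x = y by Gaussian elimination with pivoting."""
    n = len(y)
    m = [row[:] + [v] for row, v in zip(a, y)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def client_position(host, sats, rho_client, rho_host, iterations=8):
    """Gauss-Newton fit of client x, y, z and relative clock bias to the
    client-minus-host pseudo range differences (needs four or more satellites)."""
    d_rho = [c - h for c, h in zip(rho_client, rho_host)]  # common SA cancels here
    est = list(host) + [0.0]                                # start at the host site
    for _ in range(iterations):
        rows, resid = [], []
        for s, d in zip(sats, d_rho):
            rc = dist(s, est[:3])
            rows.append([(est[i] - s[i]) / rc for i in range(3)] + [1.0])
            resid.append(d - (rc - dist(s, host) + est[3]))
        normal = [[sum(r[i] * r[j] for r in rows) for j in range(4)] for i in range(4)]
        rhs = [sum(r[i] * e for r, e in zip(rows, resid)) for i in range(4)]
        est = [v + dv for v, dv in zip(est, solve(normal, rhs))]
    return est[:3]

def authenticate(host, sats, rho_client, rho_host, registered, tolerance_m):
    """Comparator: grant only if the solved site is within tolerance of the
    registered site. Returns (granted, miss distance in metres)."""
    miss = dist(client_position(host, sats, rho_client, rho_host), registered)
    return miss <= tolerance_m, miss

# Constructed sample data (metres, Earth-centred frame); not from the patent.
HOST = (6_378_000.0, 0.0, 0.0)
REGISTERED = (6_370_000.0, 120_000.0, -50_000.0)
SATS = [(26_560_000.0, 0.0, 0.0),
        (16_378_000.0, 20_000_000.0, 0.0),
        (16_378_000.0, -10_000_000.0, 17_000_000.0),
        (16_378_000.0, -10_000_000.0, -17_000_000.0)]
SA_NOW = [23.7, -41.2, 8.9, -15.3]    # dither at the moment of the challenge
SA_OLD = [-18.4, 35.6, -27.1, 44.0]   # dither at some earlier moment
TOL = 5.0

def demo():
    rho_host = pseudoranges(HOST, SATS, 1200.0, SA_NOW)
    moved = (REGISTERED[0] + 3000.0, REGISTERED[1] - 4000.0, REGISTERED[2])
    cases = {
        "registered site": pseudoranges(REGISTERED, SATS, -850.0, SA_NOW),
        "5 km away": pseudoranges(moved, SATS, -850.0, SA_NOW),
        # Observations taken under an earlier dither state no longer cancel
        # against what the host measures now, so the solved position is wrong.
        "stale SA state": pseudoranges(REGISTERED, SATS, -850.0, SA_OLD),
    }
    return {name: authenticate(HOST, SATS, rho, rho_host, REGISTERED, TOL)
            for name, rho in cases.items()}

if __name__ == "__main__":
    for name, (granted, miss) in demo().items():
        print(f"{name:16s} granted={granted} miss={miss:.3f} m")
```
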

In this alternative code correlation approach, the state of 
the data that comprises the client signature is processed in 
order to derive pseudo range values at the remote client 
location prior to being transferred to the host authentication 
server upon the client being challenged. Because of this 
preprocessing at the client, the possibilities for spoofing are
somewhat greater than with the raw data derived from the
codeless compressed baseband signals.

The code correlation embodiment of the invention could,
in addition to the C/A channel implementation discussed
above, also be implemented with P(Y) channel code
correlation or a combination of code correlation using the C/A
and P(Y) channels. Also, the invention could be implemented
with a combination of code correlation and codeless
techniques.

VII. Message Authentication 

In a variant on the challenge-response process that is used 
for authentication of a remote client seeking access to a host,
the present invention can also be used to apply a geodetic 
label or postmark to a message that originates from or passes 
through a client site. The value of such a geodetic postmark 
is that it may be of use to a recipient (particularly the 
ultimate recipient) of the message to determine its authen- 
ticity. 

In this variation of the invention, upon generation or 
receipt at a client of a message that calls for postmarking,
LSS data is developed by an LSS at the client just as if it
were for communication to a host entity in response to a
challenge. The digitized packets of state vector observations
are then inserted in the message. While many schemes are
possible for placement of the postmark, as seen in FIG. 8, the
LSS data postmark 803 can be inserted in message 800 after
the header 801 but before the non-header content 805 of the
message. To aid processing at the recipient, the postmark
803 can include not only state vector observations but also
a name or station ID and a time stamp. The message bearing
the postmark can then be transmitted. Any recipient who
wishes to review the provenance of the message can apply
to the postmark the same techniques that are discussed
above to see if the message originates from a client that is
recognizable under the authentication criteria that the
recipient wishes to apply.

Postmarking of a message with a geodetic signature can 
be done at one or more client nodes through which a 
message passes. In fact, it could be required at each node
through which a message passes.

In order to prevent someone from altering a message that
has been postmarked, the message with its postmark can be
digitally signed by the client, for example, using a public-
key signature system. Alternatively, or in addition, it can be
encrypted with a secret key known only by the client and
intended recipient using a symmetric encryption algorithm.
This also protects the message from unauthorized disclosure
or access. As a third possibility, the message can be used by
the sensor in its production of the state vector observations
data so that changes in the message would cause the state
vector observations to become invalid. That is, a function of
the message is used in the production of the state vector
observations as these are associated with the message,
whereby changes to the message cause the state vector
observations to become invalid when a recipient of the
message applies authentication criteria. This can be done,
for example, by delaying the signals by an amount that is a
function of the entire message.
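
An added example (not part of the patent) of the FIG. 8 layout with tamper protection: each postmark carries a station ID, time stamp and observations, sits between header and body, and is bound to the whole message. HMAC-SHA256 with a key shared between each station and the recipient stands in for the digital signature the text mentions, because the Python standard library has no public-key signing; the example also generalizes to several nodes, each tag covering all earlier postmarks. Field names, keys and values are constructed, and checking the observations against authentication criteria is outside this example.

```python
import hashlib
import hmac
import json

def tag_over(key, header, postmarks, body):
    """HMAC-SHA256 over header, every postmark so far, and body (FIG. 8 order)."""
    blob = json.dumps([header, postmarks, body], sort_keys=True,
                      separators=(",", ":"))
    return hmac.new(key, blob.encode("utf-8"), hashlib.sha256).hexdigest()

def add_postmark(message, station_id, timestamp, observations, key):
    """Return a copy of message with one more postmark after the header.
    The tag covers the header, all earlier postmarks, this postmark and the body."""
    untagged = {"station": station_id, "time": timestamp,
                "observations": observations}
    tag = tag_over(key, message["header"],
                   message["postmarks"] + [untagged], message["body"])
    return dict(message,
                postmarks=message["postmarks"] + [dict(untagged, tag=tag)])

def verify_postmarks(message, station_keys):
    """Recompute every postmark tag in order; returns [(station_id, valid), ...]."""
    results = []
    for i, mark in enumerate(message["postmarks"]):
        untagged = {k: v for k, v in mark.items() if k != "tag"}
        key = station_keys.get(mark.get("station"))
        valid = False
        if key is not None:
            expected = tag_over(key, message["header"],
                                message["postmarks"][:i] + [untagged],
                                message["body"])
            valid = hmac.compare_digest(expected, mark.get("tag", ""))
        results.append((mark.get("station"), valid))
    return results

# Constructed sample data; station names, keys and observations are made up.
KEYS = {"home-pc": b"constructed key A", "bank-gateway": b"constructed key B"}
ORIGINAL = {"header": {"to": "bank", "subject": "transfer"},
            "postmarks": [],
            "body": "Transfer 100 from account A to account B"}

def demo():
    m = add_postmark(ORIGINAL, "home-pc", "1996-01-01T12:00:00Z",
                     [21456789.1, 22987654.3, 20111222.7, 23555444.9],
                     KEYS["home-pc"])
    m = add_postmark(m, "bank-gateway", "1996-01-01T12:00:02Z",
                     [21456012.4, 22988301.8, 20110977.5, 23556120.2],
                     KEYS["bank-gateway"])
    variants = {
        "intact": m,
        "body altered": dict(m, body="Transfer 9000 from account A to account C"),
        "postmarks moved to another message":
            dict(ORIGINAL, body="A different message", postmarks=m["postmarks"]),
        "earlier hop removed": dict(m, postmarks=m["postmarks"][1:]),
    }
    return {name: verify_postmarks(v, KEYS) for name, v in variants.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
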

As can be seen, this postmarking technique can be used
for transaction authentication. If the postmark is applied at
the originating node, such as the home computer of a person
who wishes to make a bank account transfer or a credit card
purchase, the party receiving the message can check the
postmark upon receipt to determine the authenticity of the
message. Thus, here the signature is not used as a password
for access to a host but rather as a password that the host,
having granted access, will use to determine whether the
message is authentic and should be acted upon.

VIII. Variations

Although the description of the preferred embodiment has
been presented, it is contemplated that various changes
could be made without deviating from the spirit of the
present invention. For example, although the preferred form
of invention has been described specifically in connection
with the NAVSTAR Global Positioning System, it is readily
conformable for use with other Earth-orbiting, signal-
transmitting satellites, such as the Global Navigation
Satellite System of the former U.S.S.R. See, "GLONASS and
GPS: Prospects for a Partnership", N. E. Ivanov and V.
Salistchev, Publication Reference, GPS World, Vol. 2, No. 4,
April, 1991.

It is therefore to be understood that while a preferred form
of method and apparatus has been herein set forth and
described, various modifications and changes may be made
without departing from the spirit and scope of the present
invention as defined by the appended claims and reasonable
equivalents thereof.

What is claimed as new and desired to be protected by 
Letters Patent is: 
1. A system for determining the authenticity of a client
seeking access to a host comprising:

a client authentication device, comprising:
first sensor locationally associated with the client for
sensing transmissions from two or more signal
sources that produce constantly changing transmissions
containing information sufficient to derive a
state vector that identifies the client location, said
first sensor including a converter for converting the
sensed transmissions into first state vector observations
for communication to an authentication server
associated with the host, and circuitry for communicating
the first state vector observations to the host
authentication server, and
wherein the host authentication server, comprises:
an authentication processor for receiving and processing
the first state vector observations and for comparing
one or more attributes of the state vector
contained in the first state vector observations to
predetermined authentication criteria, and circuitry
for developing a user authentication signal when the
one or more attributes of the first state vector
observations satisfy the predetermined authentication
criteria.

2. A system as recited in claim 1, further comprising:

second sensor at a predefined different location than the
first sensor for sensing transmissions from the same
two or more signal sources sensed by the first sensor
that produce transmissions containing information
sufficient to derive a state vector for the predefined
different location, including a converter for converting the
sensed transmissions to second state vector observations
for communication to the host authentication
server,

circuitry for communicating the second state vector
observations to the host authentication server, said host
authentication server having a processor for receiving
and processing the second state vector observations and
for preparing a differential state vector from the first
and second state vector observations and comparing
one or more attributes of the differential state vector to
predefined authentication criteria; and

circuitry for developing a user authentication signal when
the one or more attributes of the differential state vector
satisfy the predefined authentication criteria.

3. A system as recited in claim 2, wherein the second
sensor is located at the host.

4. A system as recited in claim 2, wherein the second
sensor is located at a site different from the host.

5. A system as recited in claim 1, wherein the first sensor
uses codeless techniques to convert the sensed transmissions
into first state vector observations.

6. A system as recited in claim 2, wherein the second
sensor uses codeless techniques to convert the sensed
transmissions into first state vector observations.

7. A system as recited in claim 2, wherein the first sensor
and the second sensor use codeless techniques to convert the
sensed transmissions into state vector observations.

8. A system as recited in claim 1, wherein the authentication
criteria comprise the geodetic location of the client.

9. A system as recited in claim 1, wherein the authentication
criteria comprise the latitude and longitude of the
client.

10. A system as recited in claim 1, wherein the authentication
criteria comprise the latitude, longitude and height of
the client.

11. A system as recited in claim 1, wherein the authentication
criteria comprise the latitude, longitude and height of
the client and a non-zero velocity of the client.

12. A system as recited in claim 1, wherein the authentication
criteria comprise the geodetic location of the client
with an offset from a standard geodetic reference system.
13. A system as recited in claim 1, wherein the authentication
criteria comprise the geodetic location of the client
and the authentication criteria are stored in encrypted form.

14. A system as recited in claim 1, wherein the first state
vector observations are compressed relative to the
transmissions actually sensed by the first sensor.

15. A system as recited in claim 1, wherein the first state
vector observations are compressed relative to the
transmissions actually sensed by the first sensor and the circuitry for
communicating the first state vector observations to the
authentication server communicates the transmissions
sensed for a real time interval of X duration in a transmission
to the authentication server having a real time duration less
than X.

16. A system as recited in claim 1, wherein the first state
vector observations are compressed relative to the
transmissions actually sensed by the first sensor in a ratio of at least
100,000 to 1.

17. A system as recited in claim 1, wherein the first sensor
uses code correlation techniques to convert the sensed
transmissions into first state vector observations.

18. A system for applying to an electronic message
existing at a client location and intended for a destination
information for determining the authenticity of that message
comprising:

a sensor locationally associated with the client for sensing
transmissions from two or more signal sources that
produce transmissions containing information sufficient
to derive a state vector that identifies the client
location, said sensor including a converter for converting
the sensed transmissions into state vector observations
for communication to the destination;

circuitry for associating with the message the sensed state
vector observations from the sensor; and

circuitry for sending the message towards its destination
with the sensed state vector observations.

19. A system as recited in claim 18 wherein the message
with associated state vector observations is digitally signed.

20. A system as recited in claim 18 wherein the message
with associated state vector observations is encrypted.

21. A system as recited in claim 18 wherein the message
with associated state vector observations is digitally signed
and encrypted.

22. A system as recited in claim 18 wherein the message
requests a financial transaction.

23. A system as recited in claim 22 wherein the financial
transaction is a transfer from one account to another.

24. A system as recited in claim 18 wherein the message
is sent by a payor and requests a debit of an account of the
payor.

25. A system as recited in claim 18 wherein a function of
the message is used in the production of the state vector
observations as these are associated with the message,
whereby changes to the message cause the state vector
observations to become invalid.

26. A method for determining the authenticity of a client
seeking access to a host comprising:

at a client authentication device:
sensing at a first sensor locationally associated with the
client transmissions from two or more signal sources
that produce constantly changing transmissions
containing information sufficient to derive a state vector
that identifies the client location;
converting the sensed transmissions into first state
vector observations for communication to an
authentication server associated with the host; and
communicating the first state vector observations to the
host authentication server; and

at the host authentication server:
receiving and processing the first state vector
observations;
comparing one or more attributes of the state vector
contained in the first state vector observations to
predetermined authentication criteria; and
developing a user authentication signal when the one or
more attributes of the first state vector observations
satisfy the predetermined authentication criteria.

27. A method as recited in claim 26, further comprising:

at a predefined different location than the first sensor:
sensing transmissions from the same two or more
signal sources sensed by the first sensor that produce
transmissions containing information sufficient to
derive a state vector for the predefined different
location;
converting the sensed transmissions to second state
vector observations for communication to the host
authentication server; and
communicating the second state vector observations to
the host authentication server; and

at the host authentication server:
receiving and processing the second state vector
observations;
preparing a differential state vector from the first and
second state vector observations;
comparing one or more attributes of the differential
state vector to predefined authentication criteria; and
developing a user authentication signal when the one or
more attributes of the differential state vector satisfy
the predefined authentication criteria.

28. A method for applying to an electronic message
existing at a client location and intended for a destination
information for determining the authenticity of that message
comprising:

sensing at a sensor locationally associated with the client
transmissions from two or more signal sources that
produce transmissions containing information sufficient
to derive a state vector that identifies the client
location;

converting the sensed transmissions into state vector
observations for communication to the destination;

associating with the message the sensed state vector
observations from the sensor; and

sending the message towards its destination with the
sensed state vector observations.